In Conversation: Board leadership in relation to cyber risk - UK Corporate Governance Code 2024

Published: 18 August 2025

10 minute read

For the third episode of the FRC's podcast series exploring the UK Corporate Governance Code 2024, Kate O’Neill, Director of Stakeholder Engagement and Corporate Affairs, is joined by Maureen Beresford, Director of Corporate Governance and Stewardship at the FRC, and Wendy Barnes, portfolio non-executive director and cyber resilience advisor.

The conversation focuses on the growing importance of cyber risk in corporate governance, particularly in light of the revised Code coming into effect in 2026. They discuss how boards can approach cyber risk as a strategic issue rather than a purely technical one, the role of board-level oversight, and the importance of building organisational resilience. The episode also highlights practical tools and frameworks available to support boards in navigating this evolving area.

Transcript

00;00;12;22 - 00;00;50;10

Kate O'Neill

Hello there and welcome to another FRC In Conversation podcast series. My name is Kate O'Neill. I'm the Director of Stakeholder Engagement and Corporate Affairs here at the FRC. This podcast today is one of the series of podcasts in our Corporate Governance podcast that we are releasing over the summer in 2025. It's particularly relevant given the revised Code, which comes into effect at the beginning of 2026. I'm joined today by Maureen Beresford, the FRC's Director of Corporate Governance and Stewardship, and Wendy Barnes, Portfolio Non-executive Director and cyber resilience advisor.

00;00;50;15 - 00;00;54;16

Kate O'Neill

Welcome, Wendy, and nice to have you back on the podcast, Maureen.

00;00;54;18 - 00;00;56;08

Maureen Beresford

Thank you. Hi, Kate. Good to be here.

00;00;56;08 - 00;01;29;15

Kate O'Neill

So cyber, a big word, covers a lot of issues for companies. But Maureen, the new Code requires companies to carry out a robust assessment of the company's emerging and principal risks and also report on how those risks are being managed or mitigated. In last year's annual review of corporate governance reporting, the report said that we'd found 89% of companies included cyber security as a principal risk, with a further 7% including it as a risk within their operational principal risk.

00;01;29;16 - 00;01;56;00

Kate O'Neill

I mean, I think we see every day something about data security, the reliance on information, data and digital technology is basically just a part of a company's life. So I guess it's becoming clear that getting cyber on the board’s agenda is difficult without the board thinking that they need an expert to lead on it. Some people would feel that they don't have those skills by which to understand it, and kind of really review it and manage it properly.

00;01;56;01 - 00;02;06;03

Kate O'Neill

So Wendy and Maureen, what role should the board have in ensuring effective oversight of cyber risk management within the organisation? Wendy, why don't you kick us off?

00;02;06;10 - 00;02;30;00

Wendy Barnes

Okay. Thank you. I think that the oversight of cyber risk can feel familiar, but can also feel scary for boards. I'll pick up the scary one first. Cyber has only really been a risk as a result of developments in the last ten years or so. And before then, it was really seen as protecting information and it was the concern really, or area, for the IT teams.

00;02;30;00 - 00;03;04;19

Wendy Barnes

But it's now something that is part of the wider enterprise of the business. It needs to be seen alongside everything else that happens within the organisation, and so the risks can be managed in the same way that other risks can be managed, using the main methods of defining the risk, assessing the risks, setting the risk appetite, making sure the mitigations are happening, and, what's most important for the board to make sure that they've got front of mind, that there are the right reports and the right information coming to the board.

00;03;04;22 - 00;03;26;24

Kate O'Neill

Thanks, Wendy. I mean, Maureen, we've talked about this often. It is not for the FRC to use the Corporate Governance Code to dictate what is important to an organisation. This one, as I said, I mean, cyber has been an emerging risk and it has gone wider than, dare I say, the IT department. So how do you think boards should be thinking about what is a complex area, an evolving area?

00;03;26;24 - 00;03;30;03

Kate O'Neill

There's no one rule book on cyber risk, for example.

00;03;30;05 - 00;03;52;13

Maureen Beresford

I think that's a really good question, and the point that Wendy made about it being scary is key to this. I think board members over the last ten, 20 years have looked at strategy, they've looked at finance, they've looked at, you know, all those kinds of things that board members have been comfortable with throughout their career. Then cyber comes along in the last ten years and people think, oh, I don't know very much about this.

00;03;52;13 - 00;04;14;22

Maureen Beresford

So I think there can be a tendency to rush to get additional information and maybe to think about getting additional people on the board with the skills of cyber, etc. And Wendy was so correct, saying this has got to be dealt with as a risk, and the controls should be around that risk as you would deal with any other risk, and you would get any other information to support the risk.

00;04;14;22 - 00;04;37;28

Maureen Beresford

Maybe a cyber strategy, how you manage that risk, incident responses, all those things should be part of the thinking of the board, but not that the board directs. They should be comfortable that the organisation has those things in the plans and be able to seek information from maybe the audit committee or maybe HR if there are skills gaps on what's being done to kind of deal with those risks.

00;04;37;28 - 00;04;43;02

Maureen Beresford

I think the board should not panic. And should deal with this as a risk, as Wendy said.

00;04;43;02 - 00;05;07;01

Kate O'Neill

Yeah, let me bring you in, Wendy, because I think you sensibly said, for some people this is scary and people don't like knowing what they don't know. So, are there tools out there? As Maureen said, obviously the audit committee has a role to play in helping to ensure that the right resilience and assessment is done. But what are the tools that the board could draw on, externally and internally, to feel more comfortable about this complex area?

00;05;07;03 - 00;05;27;06

Wendy Barnes

Thanks, Kate. I'll mention the tools in a moment, but just picking up on something Maureen said. We definitely need to treat cyber risks as we treat other risks, but I also think the board needs to recognise there is a difference with cyber risks, and I think that's where perhaps some of the uneasiness and scariness comes in. Because cyber risks are slightly different.

00;05;27;06 - 00;05;51;10

Wendy Barnes

They're always going to be a higher risk. The bad guys are always one step ahead. So actually mitigating the risk down to zero is something that's not possible for cyber risk. And that can create a little bit of unease. And it's a risk where you're not going to be in control if the risk materialises. So there's a real, real focus, as Maureen has said, on incident planning.

00;05;51;10 - 00;06;08;07

Wendy Barnes

So you can plan to prevent the risk happening. But it's really, really important to plan for the consequences of the risk occurring. More than I feel any other risk that an organisation has. So it is a bit different. And I think that's something that we need to recognise.

00;06;08;07 - 00;06;35;17

Kate O'Neill

And I guess it's interesting what you've just said, Wendy, because when there is a cyber failure or cyber attack, it's not just about, as you said earlier, data disappearing. It has an impact on the whole organisation in different ways, whether it's reputation, whether it's on consumers and customers, whether it's on supply chain. So this has kind of got a wider scope than some of the other risks we've talked about in the past with boards as they think about their material risk, because the knock-on effect is huge.

00;06;35;21 - 00;07;03;01

Maureen Beresford

Absolutely. And, you know, they shouldn't just be looking, as you've just touched on, at the immediate organisation, but they should be thinking about how their suppliers and their partners deal with cyber issues. I mean, we don't have to look very far over the last few weeks to know that some partners might have weaknesses that the companies didn't realise, and there should be systems in place to check those issues out and to make sure that who you're working with can give you confidence in their systems as well.

00;07;03;02 - 00;07;31;11

Maureen Beresford

But again, I think we need to just be clear that this is not for the board to do everything. The boardroom panic. We deal with unitary boards generally in the UK. So I think one of the points I want to make is that we're not expecting, going back to the Code, that every board should have a cyber expert on board, and I think that sometimes that could be to the detriment of decision making, because we all know that if there's an expert in the room, everybody takes a step back and leaves everything to that one person to make a decision on.

00;07;31;11 - 00;07;44;18

Maureen Beresford

So I think it's really important to remember that it is the board as a whole that is making the decisions on cyber, with lots and lots of input from all those different areas that we've talked about this morning.

00;07;44;18 - 00;08;24;29

Wendy Barnes

You know, I worked in cyber for over 20 years. So, the boards that I'm on look to me as the person who knows cyber. And that's useful. But it can also mean that not everybody else gets the awareness that's appropriate. And I'm very, very keen on the boards I've worked with or the boards that I'm on to make sure that we raise awareness for everybody around the board table in the board meetings, and the ways that I've suggested to people that they can do that is: you can get some deep-dive briefings on developments on cyber threats, either by the executives or by somebody, an expert from outside the business.

00;08;25;02 - 00;08;49;22

Wendy Barnes

Doing that once or twice a year is really useful for keeping it front of mind. There's loads of events, loads of webinars around cyber, and they're easily accessible for non-execs and executives. And the third thing is there are quite a few useful resources that board members can turn to. The NCSC has got a board toolkit. It's got governance training for cyber.

00;08;49;25 - 00;09;10;26

Wendy Barnes

They have just issued the Code of Practice on Governance for cyber, which is a really useful tool for checking where the board sits on that code of practice. The other thing is the FRC has got a digital security report, which gives a lot of great questions that the audit committee can ask to get assurance around cyber resilience.

00;09;10;26 - 00;09;31;16

Kate O'Neill

That sounds like a lot of helpful toolkits, I guess more than we covered in the annual report and review last year. I would guess this is just going to be a continuum, because it's such an important risk. It affects so many companies that this will just become almost a normalised risk for everyone to be either thinking about, educating themselves on, and also working out how to report on.

00;09;31;18 - 00;09;50;27

Maureen Beresford

I think that's right Kate. I mean, as you said, we gave the stats out earlier in this podcast. It's not going to change. And as Wendy said, the people that are trying to attack companies are often one step ahead. So, it's going to continue but also evolve. And the technologies will also evolve to deal with this. So, you can't be over everything as a board.

00;09;50;27 - 00;10;11;02

Maureen Beresford

You've got to take that help that Wendy's just mentioned, and just a plug for the FRC as well: we do link to many of the documents that Wendy mentioned in our guidance to the Code. So you can link straight through from our website to those toolkits, etc. But it's always going to be high on board agendas. And just to kind of circle back to where we started, Kate.

00;10;11;03 - 00;10;26;16

Maureen Beresford

And how do you get it on a board agenda? It's very difficult. Board agendas are packed, but cyber can be the one risk that can bring down your company. And I think boards have to make space for that on their agendas and do the deep dives, etc., that Wendy's just been talking about.

00;10;26;18 - 00;10;44;06

Kate O'Neill

I think that's such an interesting point, because I mentioned before the knock-on effect when there's a cyber attack or cyber failure, but, you know, it is all linked to how the IP of a company is being put at risk through lots of different ways. With the availability of AI tools, for example. It's not always going to be a thought-out,

00;10;44;08 - 00;10;50;26

Kate O'Neill

intentional cyber attack. This could happen in a number of unintended ways. I mean, Wendy, did you want to come in on that?

00;10;50;26 - 00;11;18;14

Wendy Barnes

Yeah, and I think the historical link for cyber creates this impression that it's to do with technology. And it's not always to do with technology. And it's also not always due to a technology expert attacking the organisation; the threat actors, or the people who carry out cyber attacks these days, can be nation states. It can be activists who simply want to bring down websites to make a point.

00;11;18;14 - 00;11;42;27

Wendy Barnes

It can be an insider threat, somebody who's been exploited or persuaded to get information and to give information to somebody outside the organisation. It can come from so many different directions, which is why, really, every business owner, every executive in the executive team has some link to cyber, or should look at their part of the business through a cyber lens.

00;11;42;27 - 00;12;05;16

Wendy Barnes

And the board should also look at any board decisions that they have to make through the cyber lens, just by simply asking themselves the question, if we do this, could it create a cyber risk? And then if the answer is no, that's great. But if the answer is yes, that might then trigger some more activity to help pursue that opportunity, but manage the risk at the same time.

00;12;05;18 - 00;12;31;09

Kate O'Neill

I really like that idea of everyone having that lens and contributing to the better understanding and better management of this important risk. And let's face it, it's here to stay in any organisation. So listening to both Wendy and Maureen, there are lots of tools out there to help boards and executives feel more confident about even thinking about cyber risk and how to think about the resilience of the organisation to it.

00;12;31;09 - 00;12;51;06

Kate O'Neill

And Maureen, I guess in this year's annual reporting review, we'll be looking at cyber again as to how companies are reporting on it, because thinking about it around the board table and having it on the agenda is one thing. But how are boards and companies giving their stakeholders confidence that they're thinking about it in the right way and strengthening the management of this important risk?

00;12;51;06 - 00;13;27;29

Maureen Beresford

That's a really important point here about the reporting. Because we're not expecting companies to report on the detail of their cyber plans, because that would be handing information to the actors out there. What we want to see is the processes that the board goes through, the thinking that the board has, the committees that are involved, etc., etc., and really report, as we've said many times, on the outcomes: what the board has done, what's changed, etc., what controls you are thinking about in terms of cyber, but absolutely not suggesting that anybody should go into the detail that would give away important information externally.

00;13;28;00 - 00;13;50;13

Wendy Barnes

Yeah. And I think a useful tool for reporting, which fits the bill that Maureen has just described, is the new Code of Practice, because an organisation can assess itself against the Code, and it is a board assessment. It's a corporate-level assessment, and it can ask itself those questions and answer those questions, and can report on that question and answer that they've carried out.

00;13;50;15 - 00;14;03;01

Wendy Barnes

Without giving away too much detail that is commercially sensitive. And I think that's a really good starting point. And also, if companies start to use the Code in that way, it can give a benchmark, which could also be useful.

00;14;03;06 - 00;14;28;14

Kate O'Neill

This is an area that does concern many companies who are perhaps getting up to speed on what it means for them and how they should be looking at it. But I think you both make great points. It's great to have the internal processes and checks and balances in place, but you also have to build the confidence externally in the way that you're talking about it, to give your stakeholders across the spectrum the confidence that you're leaning into this risk

00;14;28;18 - 00;14;37;09

Kate O'Neill

and thinking about it in the appropriate way. Thank you, Maureen Beresford and Wendy Barnes, for contributing to this part of our Corporate Governance Summer series.